Ticket #13436: Potential crash in CC708 append_cc function.
#13436: Potential crash in CC708 append_cc function.
------------------------------------+---------------------------
Reporter: David Hampton | Owner: David Hampton
Type: Bug Report - Crash | Status: assigned
Priority: minor | Milestone: 30.1
Component: MythTV - Captions | Version: Master Head
Severity: medium | Keywords:
Ticket locked: 0 |
------------------------------------+---------------------------
This function calls the rightsize_buf function, which attempts to
reallocate a buffer if there isn't enough space. It is possible, but
extremely unlikely, that the reallocation will fail and the buffer will be
replaced with a nullptr. Any attempt to dereference that nullptr will
crash the frontend.

--
Ticket URL: <https://code.mythtv.org/trac/ticket/13436>
MythTV <http://www.mythtv.org>
MythTV Media Center
Re: Ticket #13436: Potential crash in CC708 append_cc function.
#13436: Potential crash in CC708 append_cc function.
--------------------------------+-------------------------------
Reporter: David Hampton | Owner: David Hampton
Type: Bug Report - Crash | Status: closed
Priority: minor | Milestone: 30.1
Component: MythTV - Captions | Version: Master Head
Severity: medium | Resolution: fixed
Keywords: | Ticket locked: 0
--------------------------------+-------------------------------
Changes (by David Hampton <mythtv@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"d0356aba3c9394200a86dcab7d1cf17a558c5eab/mythtv"
d0356aba3c/mythtv]:
{{{
#!CommitTicketReference repository="mythtv"
revision="d0356aba3c9394200a86dcab7d1cf17a558c5eab"
tidy: Fix rare null pointer dereference in cc708decoder.cpp.

The clang-tidy "non-null parameter checker" pointed out the possibility
of the cc708 decoder dereferencing through a null pointer. This code
starts with a default buffer size of 512 and then attempts to allocate
a larger buffer when necessary (in this case, if a single subtitle is
more than 512 characters.) If the reallocation fails, the code would
end up storing the nullptr error return into the buffer pointer, and
then dereference it in an attempt to store the new characters. Catch
this rare condition and drop the characters that won't fit into the
existing buffer.

Fixes #13436.
}}}

--
Ticket URL: <https://code.mythtv.org/trac/ticket/13436#comment:1>
MythTV <http://www.mythtv.org>
MythTV Media Center
Re: Ticket #13436: Potential crash in CC708 append_cc function.
#13436: Potential crash in CC708 append_cc function.
--------------------------------+-------------------------------
Reporter: David Hampton | Owner: David Hampton
Type: Bug Report - Crash | Status: closed
Priority: minor | Milestone: 30.1
Component: MythTV - Captions | Version: Master Head
Severity: medium | Resolution: fixed
Keywords: | Ticket locked: 0
--------------------------------+-------------------------------

Comment (by David Hampton <mythtv@…>):

In [changeset:"ff4c7158f4fb241760e77fad7c2a8eef1a4eb5c3/mythtv"
ff4c7158f/mythtv]:
{{{
#!CommitTicketReference repository="mythtv"
revision="ff4c7158f4fb241760e77fad7c2a8eef1a4eb5c3"
tidy: Fix rare null pointer dereference in cc707decoder.cpp.

The clang-tidy "non-null parameter checker" pointed out the possibility
of the cc708 decoder dereferencing through a null pointer. This code
starts with a default buffer size of 512 and then attempts to allocate
a larger buffer when necessary (in this case, if a single subtitle is
more than 512 characters.) If the reallocation fails, the code would
end up storing the nullptr error return into the buffer pointer, and
then dereference it in an attempt to store the new characters. Catch
this rare condition and drop the characters that won't fit into the
existing buffer.

Fixes #13436.

(cherry picked from commit d0356aba3c9394200a86dcab7d1cf17a558c5eab)
}}}

--
Ticket URL: <https://code.mythtv.org/trac/ticket/13436#comment:2>
MythTV <http://www.mythtv.org>
MythTV Media Center